
My Network Is Infected


6 replies to this topic

#1 pinouye

pinouye

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 06 March 2008 - 06:52 PM

In our small office we have about 10 servers and the same amount of workstations. It seems like there are a bunch of viruses, etc. everywhere. I've been working through by using scanning software such as Webroot, MWAV, etc. and it seems to pick up some items and removes them, but then they seem to come back. I really need assistance in inoculating our environment and getting control of my network. All your help is appreciated.

Our servers are both Windows 2000 SP4 and Windows 2003 SP1. I tried running Hijackthis on a Windows 2003 server and it does not work.

Some items of note:

1. Some servers lose any and all shares (even IPC$ is removed)
2. I see a bunch of 17PHOLMES1148.exe running services
3. Also MROFUNI1148.exe running services

Thanks for your help in advance.


#2 pinouye

pinouye
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 06 March 2008 - 09:44 PM

I know that my post was very general (and a huge request, actually). But if someone can give me some good steps to work on 1 workstation, then that should suffice to replicate on the other servers and workstations.

Our environment is mixed with Windows 2000, Windows 2003, and Windows XP.

Thanks again.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:04:55 AM

Posted 07 March 2008 - 08:44 PM

We will not be able to help you clean each and every computer, but we can give some general advice on what to do.

First and foremost, make sure every computer has the latest security updates from Microsoft. This will alleviate some of the worms reinfecting your computers.

Another problem with network outbreaks is that when you clean one machine, another infected machine runs around reinfecting everyone again. Due to this, during your overall cleanup process make sure every computer has a firewall enabled to block network infections from attacking the newly cleaned computer. Servers of course will have to be cleaned last as you need to keep those open during the removal process.

Invest in quality antivirus products like Kaspersky or NOD32 for each workstation. At a minimum run the web scan from Kaspersky on each machine to see what it detects. Kaspersky has excellent detections for a lot of the newer infections.

Run some of the free antimalware tools:

Super Antispyware
Malwarebytes' Anti-Malware

You really need to run a whole battery of apps at each computer as there is no one "end-all" application that can do it. Each app has different detections so throwing a bunch at a computer would provide the highest detection rate.

You can also use a program like TCPView to monitor a computer's internet connections if you're concerned with backdoors and worms.

You now need to block the users from getting reinfected. A good AV software with realtime protection will help. Using SpywareBlaster and the MVP Hosts is also a great way of keeping your workstations from being reinfected.

You should also invest in a firewall that has some sort of content filtering so you can restrict your workstations from downloading and installing executables. There are some reasonably priced firewalls that contain this type of protection.

Last but not least, educate your users. If they keep doing what they are doing, nothing will protect you from malware.

Hope this helps and feel free to ask me any questions. If you have some $$$ to throw at it, I can give you even more elaborate practices to go with :thumbsup:
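The connection check described above (watching a machine's connections with TCPView) can also be scripted so it can be run on every workstation during the cleanup. The script below is an added example for this thread, not something posted by its participants or shipped with any of the tools named. It assumes a Windows host whose netstat supports -o (XP/2003 and later), PowerShell 2.0 or newer, and an elevated session so that process image paths resolve.

```powershell
# Added example: list TCP endpoints together with the owning process and its
# image path, flagging images that live outside the Windows and Program Files
# trees. Assumption: run elevated on Windows XP/2003 or later with PowerShell 2.0+.

function Get-ConnectionReport {
    # Build a PID -> executable path map once, rather than per connection
    $procPaths = @{}
    Get-WmiObject Win32_Process | ForEach-Object {
        $procPaths[[int]$_.ProcessId] = $_.ExecutablePath
    }

    netstat -ano | ForEach-Object {
        # Lines of interest look like:
        #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    952
        $parts = ($_ -replace '^\s+', '') -split '\s+'
        if ($parts.Count -lt 5 -or $parts[0] -ne 'TCP') { return }

        $procId = [int]$parts[4]
        $image  = $procPaths[$procId]     # $null if the process exited or access was denied

        # Location is only a first-pass indicator: the samples in this thread ran
        # from system32 itself, so a "normal" path proves nothing on its own.
        $inKnownTree = ($image -like "$env:SystemRoot\*") -or ($image -like "$env:ProgramFiles\*")

        New-Object PSObject -Property @{
            Local   = $parts[1]
            Remote  = $parts[2]
            State   = $parts[3]
            PID     = $procId
            Image   = $image
            Unusual = [bool]($image -and -not $inKnownTree)
        }
    }
}

# Usage: unusual images first, then everything listening or connected
Get-ConnectionReport |
    Sort-Object Unusual -Descending |
    Format-Table Unusual, State, Local, Remote, PID, Image -AutoSize
```

Run it before and after cleaning a machine and diff the two listings; a listener that survives cleaning, or one owned by a process with no resolvable image path, is the kind of entry worth tracing back to its service or autorun entry.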

#4 deerichards

deerichards

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 16 March 2008 - 11:47 AM

I don't know if this will help but we just set up a temporary method to help prevent re-infection on a very large network. All of the Windows 2000 servers kept getting re-infected with a.exe, msmsgs.exe and rundll32.exe. I'm not sure which viruses, in addition to Smitfraud, use these executables. Shutting down all the thousands of computers on the network and cleaning them one by one is not an option. None of the software packages have helped up to this point.

For this to work you must know which executables need to be stopped. Ours were system32/a.exe, system32/msmsgs.exe and rundll32.exe in the windows directory. Do not use this process if the executables are the valid Windows executables. Our executables were not a part of the Windows operating system... just hidden, read-only files with no information in the properties.

In order to stop the re-infection, we created dummy executables for a.exe, msmsgs.exe and rundll32.exe. In safe mode, the original files were replaced with these dummy files. The dummy files were created to run and exit. The file attributes were set to read-only and hidden. All registry entries for these executables were deleted (the only one we found so far is rundll32.exe in the startup).

When each server was rebooted, the server does not appear to be re-infected. It seems that the existence of these files stops the infiltration because the virus thinks it is already running. This is not a full solution by any means; however, it does allow the servers and provides valuable time to look for a complete solution.

Hope this helps.
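The precondition in the post above (be sure the file is not the real Windows executable before touching it) and the indicators the poster used (hidden, read-only, no version information) can be checked in one pass, and the same pass covers the "running services" the original poster saw. The script below is an added example for this thread, not code from any participant; it only reports and changes nothing. It assumes an elevated PowerShell 2.0+ session on the affected Windows host, and the file names it looks for are the ones mentioned in the thread.

```powershell
# Added example: triage suspect executables by the indicators discussed in this
# thread. Assumption: run elevated on Windows with PowerShell 2.0+; nothing is modified.

# File names taken from the thread; extend the list for your own environment
$suspectNames = @('a.exe', 'msmsgs.exe', 'rundll32.exe', '17PHOLMES1148.exe', 'MROFUNI1148.exe')
$searchRoots  = @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspectReport {
    param([string[]]$Names, [string[]]$Roots)

    # Services are enumerated once; their PathName is matched per file below
    $services = Get-WmiObject Win32_Service

    foreach ($root in $Roots) {
        foreach ($name in $Names) {
            $path = Join-Path $root $name
            # -Force so hidden files (the poster's case) are still found
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if (-not $item) { continue }

            $escaped = [regex]::Escape($name)

            # Authenticode status. Caveat: on older Windows many genuine system files
            # are catalog-signed rather than embedded-signed and report NotSigned,
            # so treat this as one indicator, not as proof either way.
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            # Services whose command line references this file name
            $svcNames = $services |
                Where-Object { $_.PathName -and $_.PathName -match $escaped } |
                ForEach-Object { $_.Name }

            # Run/RunOnce values referencing this file name
            $autoruns = foreach ($k in $runKeys) {
                $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
                if ($props) {
                    $props.PSObject.Properties |
                        Where-Object { ($_.Value -is [string]) -and ($_.Value -match $escaped) } |
                        ForEach-Object { "$k\$($_.Name)" }
                }
            }

            New-Object PSObject -Property @{
                Path       = $path
                Hidden     = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                ReadOnly   = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
                Signature  = $sig.Status
                Signer     = $signer
                # The poster's "no information in the properties"
                HasVersion = [bool]$item.VersionInfo.FileDescription
                Services   = ($svcNames -join ';')
                Autoruns   = ($autoruns -join ';')
            }
        }
    }
}

Get-SuspectReport -Names $suspectNames -Roots $searchRoots | Format-List
```

On a healthy machine, system32\rundll32.exe will show up with version information and a Microsoft signer; that entry is the one you must leave alone, which is exactly the distinction the post warns about. A copy that is hidden, read-only, carries no version information and is referenced from a Run key or an unfamiliar service is the profile the poster describes, and the Services and Autoruns columns tell you which registry entries to review alongside the file.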

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:04:55 AM

Posted 17 March 2008 - 02:03 PM

Not a bad idea. Be careful, though, malware tends to not be smart and just overwrites itself not caring about permissions etc. So this may work and it may not. I am glad in your case it did.

Didn't realize there were that many computers. You had mentioned in your original post that it was 10 computers.

Do you know what registry name msmsgs.exe was running under? I may be able to help pin down what particular malware it is.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:55 AM

Posted 17 March 2008 - 03:17 PM

Didn't realize there were that many computers. You had mentioned in your original post that it was 10 computers.


That's because deerichards isn't pinouye, the OP. :thumbsup:

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:04:55 AM

Posted 17 March 2008 - 03:30 PM

LOL...and you're right :thumbsup: Sorry about that.



